Bug #45790 Potential DoS vector: Writing of user input to log

without proper formatting The problem is that a suitably crafted database identifier supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV, and thereby a denial of service. The database name is printed to the log without using a format string, so potential attackers can control the behavior of my_b_vprintf() by supplying their own format string. A CREATE or DROP privilege would be required. This patch supplies a format string to the printing of the database name. A test case is added to mysql_client_test.
2025-07-30 16:24:05 +03:00 · 2009-07-01 14:09:44 +02:00
parent 19dfaa5824
commit 490f443221
2 changed files with 24 additions and 2 deletions
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@ -2096,7 +2096,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
      }
      if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
 	break;
-      mysql_log.write(thd,command,packet);
+      mysql_log.write(thd, command, "%s", db);
      bzero(&create_info, sizeof(create_info));
      mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
                      &create_info, 0);
@ -2121,7 +2121,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
                   ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
 	break;
      }
-      mysql_log.write(thd,command,db);
+      mysql_log.write(thd, command, "%s", db);
      mysql_rm_db(thd, db, 0, 0);
      break;
    }